Initial Settings : Sudo Settings2019/07/10 |
|
Configure Sudo to separate users' duty if some people share privileges.
|
|
| [1] | Install Sudo. |
|
root@dlp:~# apt -y install sudo |
| [2] | Transfer root privilege to a user all. |
|
root@dlp:~#
# add to the end : user [buster] can use all root privilege # how to write ⇒ destination host=(owner) command buster ALL=(ALL:ALL) ALL # push [Ctrl + x] key to quit visudo
# verify with user [buster] buster@dlp:~$ /usr/sbin/reboot Failed to set wall message, ignoring: The name org.freedesktop.PolicyKit1 was not provided by any .service files Failed to reboot system via logind: The name org.freedesktop.PolicyKit1 was not provided by any .service files Failed to open initctl fifo: Permission denied Failed to talk to init daemon. # denied
sudo /usr/sbin/reboot
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for buster: # buster's password
.....
.....
# possible execute
|
| [3] | In addition to the setting [1], set that some commands are not allowed. |
|
root@dlp:~#
# add aliase for the kind of shutdown commands # Cmnd alias specification Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, \ /usr/sbin/poweroff, /usr/sbin/reboot, /usr/sbin/init, /usr/bin/systemctl # add ( commands in aliase [SHUTDOWN] are not allowed ) buster ALL=(ALL:ALL) ALL, !SHUTDOWN # verify with user [buster] buster@dlp:~$ sudo /usr/sbin/reboot [sudo] password for buster: Sorry, user buster is not allowed to execute '/usr/sbin/reboot' as root on dlp.srv.world. # denied
|
| [4] | Transfer some commands with root privilege to users in a group. |
|
root@dlp:~#
# add aliase for the kind of user management commands # Cmnd alias specification
Cmnd_Alias USERMGR = /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
/usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
# add to the end
%usermgr ALL=(ALL:ALL) USERMGR
# verify with user [buster] buster@dlp:~$ sudo /usr/sbin/useradd testuser buster@dlp:~$ buster@dlp:~$ sudo /usr/bin/passwd testuser Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully # possible execute
|
| [5] | Transfer some specific commands with root privilege to a user. |
|
root@dlp:~#
# add to the end : set specific commands to each user
fedora ALL=(ALL:ALL) /usr/sbin/visudo
cent ALL=(ALL:ALL) /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
/usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
ubuntu ALL=(ALL:ALL) /usr/bin/vim
# possible open and edit ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## # verify with user [cent] cent@dlp:~$ sudo /usr/sbin/userdel -r testuser
cent@dlp:~$
# possible execute
# verify with user [ubuntu]
ubuntu@dlp:~$
sudo /usr/bin/vim /root/.profile
# possible open and edit # ~/.profile: executed by Bourne-compatible login shells. |
| [6] | The logs for sudo are kept in [/var/log/auth.log], but there are many kind of logs in it. If you'd like to keep only sudo's log in another file, Configure like follows. |
|
root@dlp:~#
# add to the end Defaults syslog=local1
root@dlp:~#
vi /etc/rsyslog.conf # line 61: add local1.* /var/log/sudo.log auth,authpriv.*;local1.none /var/log/auth.logroot@dlp:~# systemctl restart rsyslog |
| Sponsored Link |